Innominate mguard. Application Note. How to setup an VPN connection between mguard Secure VPN Client and the mguard

Transcription

1 Innominate mguard Application Note How to setup an VPN connection between mguard Secure VPN Client and the mguard Innominate Security Technologies AG Rudower Chaussee Berlin, Germany Phone: +49 (0) Fax: +49 (0) contact@innominate.com

2 Table of Contents 1 Disclaimer 3 2 Introduction 4 3 X.509 Certificates 5 4 Configuring the mguard Import of the mguard Machine Certificate Configuring the VPN Connection General Settings Authentication Firewall IKE Options 10 5 Configuring the VPN Client Certificate Import CA Certificate VPN Client Certificate Basic Configuration with the Wizard Specific Connection Settings Start/Stop the VPN Connection 17 6 Troubleshooting Error: VPN gateway not responding (waiting for Msg 2) Logbook: Could not contact Gateway (No response) in state <Wait for Message 2> Is the default gateway reachable? Is the Internet reachable? Is the specified IP address/dns name of the remote VPN peer correct? Does the VPN initiating packet reach the mguard? mguard log: no connection has been authorized with policy Logbook: Could not contact Gateway (No response) in state <Wait for Message 6> mguard Log: no suitable connection for peer mguard Log: ISAKMP Hash Payload has an unknown value after STATE_MAIN_R Error: PKI error Error: IKE (phase 2) Waiting for Msg Logbook: RECEIVED : INVALID_ID_INFORMATION after SUCCESS: IKE phase 1 ready mguard Log: cannot respond to IPsec SA request because no connection is known for Logbook: RECEIVED : NO_PROPOSAL_CHOSEN after SUCCESS: IKE phase 1 ready mguard Log: IPsec Transform [...] refused due to strict flag Required Data when requesting Support 23 Document ID: I15004_en_01 Version 1.1 Page 2 of 23

3 1 Disclaimer Innominate Security Technologies AG June 2015 Innominate and mguard are registered trademarks of the Innominate Security Technologies AG. All other brand names or product names are trade names, service marks, trademarks, or registered trade marks of their respective owners. mguard technology is protected by the German patents # and # Further national and international patent applications are pending. No part of this documentation may be reproduced or transmitted in any form, by any means without prior written permission of the publisher. All information contained in this documentation is subject to change without previous notice. Innominate offers no warranty for these documents. This also applies without limitation for the implicit assurance of scalability and suitability for specific purposes. In addition, Innominate is neither liable for errors in this documentation nor for damage, accidental or otherwise, caused in connection with delivery, output or use of these documents. This documentation may not be photocopied, duplicated or translated into another language, either in part or in whole, without the previous written permission of Innominate Security Technologies AG. Document ID: I15004_en_01 Version 1.1 Page 3 of 23

4 2 Introduction This document describes the required steps to configure a VPN connection between the mguard Secure VPN Client (referred to hereafter as VPN Client) and the mguard, using X.509 certificates for authentication. mguard Secure VPN Client (Build 21604) on Windows 7 and mguard 8.1 were used for this application note. The following diagram illustrates the machines and addresses involved in the connection. The examples in this document refer to this setup. The VPN Client initiates the VPN connection, the mguard waits for it. The VPN Client uses a virtual IP address (e.g /32), forwarding packets directed to this IP address through the tunnel automatically to the real IP address of the client. The functionality of the mguard Secure VPN Client is restricted to establish VPN connections to mguard VPN appliances only. Only one software VPN client shall be installed on a Windows system. If there is a software VPN client installed (e.g. Shrew Soft VPN Client), uninstall it before installing the mguard Secure VPN Client. If the mguard has a dynamic public IP address, it needs to register its IP address under a fixed name at a dynamic DNS service (e.g. mguard.dyndns.org). The VPN Client must refer to this name to establish the VPN connection to the mguard Document ID: I15004_en_01 Version 1.1 Page 4 of 23

5 3 X.509 Certificates You can use freeware tools like e.g. XCA or OpenSSL to create the required certificates or you may request them from a Microsoft CA server. Please refer to the document How to obtain X.509 certificates which is available through our homepage: The following certificates are required: A Certification Authority (CA) certificate. The PEM export of the CA is required when configuring the VPN Client. A CA signed mguard certificate. The PKCS#12 export of the mguard certificate has to be imported into the mguard through the menu Authentication > Certificates, tab Machine Certificates of the mguard Web UI. A CA signed VPN Client certificate. o o The PKCS#12 export of this certificate has to be imported into the VPN client. The PEM export of this certificate hat to be imported into the mguard when configuring the VPN connection, menu IPsec VPN > Connections, tab Authentication. You will be prompted to enter a password when exporting a certificate in PKCS#12 format. This password protects the PKCS#12 file, which contains the private key, against unauthorized usage. Document ID: I15004_en_01 Version 1.1 Page 5 of 23

6 4 Configuring the mguard The following steps are required to configure the VPN connection on the mguard: 1) Import of the mguard machine certificate, menu Authentication > Certificates, tab Machine Certificates. 2) Configuration of the VPN connection, menu IPsec VPN > Connections. 4.1 Import of the mguard Machine Certificate From the menu, select Authentication > Certificates, tab Machine Certificates. 1) Click the down arrow at the left to create a new line. 2) Click <Browse> and open the PKCS#12 export of the mguard certificate. 3) Enter the Password, which protects the certificate against unauthorized usage. 4) Click <Import>. The certificate identifying parameters (subject, issuer, etc.) are displayed. 5) Click <Apply>. The certificate can be chosen by its Shortname later on when configuring the VPN connection. Document ID: I15004_en_01 Version 1.1 Page 6 of 23

7 4.2 Configuring the VPN Connection Select IPsec VPN > Connections from the menu. 1) Click the down arrow at the left to create a new line. 2) Enter a descriptive name for the connection. 3) Click <Edit> General Settings 1) Verify that Address of the remote site s VPN gateway contains the value %any (default value). 2) Verify that Connection startup is set to Wait (default value). The mguard waits for the VPN connection. 3) Enter the internal network of the mguard as Local network, in our example /24. 4) Enter the virtual IP address of the VPN Client as Remote network, in our example /32. Document ID: I15004_en_01 Version 1.1 Page 7 of 23

8 4.2.2 Authentication 1) Verify that Authentication Method is set to X.509 Certificate (default value). 2) Select the mguard machine certificate (imported in chapter Import of the mguard Machine Certificate) by its shot name as Local X.509 Certificate. 3) Verify that Remote CA Certificate is set to No CA certificate, but the remote certificate below (default value). 4) Click <Browse> and open the PEM export of the VPN Client certificate. 5) Click <Upload>. The certificate identifying parameters (subject, issuer, etc.) are displayed in the section Remote Certificate. Document ID: I15004_en_01 Version 1.1 Page 8 of 23

9 4.2.3 Firewall The VPN firewall allows restricting the access through the VPN tunnel. You may configure the VPN firewall if required. The VPN firewall allows any incoming and outgoing traffic by default. Document ID: I15004_en_01 Version 1.1 Page 9 of 23

10 4.2.4 IKE Options The VPN Client provides default policies supporting 3DES/SHA1 and AES-256/SHA-512 for the ISAKMP SA and 3DES/SHA1 and AES-256/SHA-256 for the IPsec SA. We recommend using the strongest encryption and hash algorithms. Thus, we choose AES- 256/SHA-512 for the ISAKMP SA and AES-256/SHA-256 for the IPsec SA. 1) ISAKMP SA (Key Exchange): Specify the Encryption and Hash Algorithm for phase I, in our example AES-256/SHA ) IPSec SA (Data exchange): Specify the Encryption and Hash Algorithm for phase II, in our example AES-256/SHA-256. Click <Apply> to save the configuration. The VPN configuration on the mguard is finished now. Document ID: I15004_en_01 Version 1.1 Page 10 of 23

11 5 Configuring the VPN Client Start the VPN Client by selecting Start > Programs > mguard Secure VPN Client > Secure VPN Client Monitor. 5.1 Certificate Import CA Certificate Copy the PEM export of the CA certificate into the installation directory of the VPN Client (default: C:\Program Files\Innominate\mGuardSecureVpnClient), subdirectory CaCerts. The file extension of the CA certificate must be pem. Otherwise the VPN Client won t find the CA certificate. If the PEM export of the CA certificate has another extension, rename it as pem. To verify that the VPN Client can load the CA certificate, select Connection > Certificates > Display CA Certificates from the menu. The subject of the CA certificate should be displayed, marked with a green checkmark. Document ID: I15004_en_01 Version 1.1 Page 11 of 23

12 5.1.2 VPN Client Certificate Select Configuration > Certificates from the menu. Click <Add>. 1) Enter a descriptive name for the certificate. 2) Select from PKCS#12 file. 3) Click < > and open the PKCS#12 export of the VPN client certificate. If you have chosen a password with less than 6 characters when exporting the VPN client certificate as PKCS#12, switch to the tab PIN Policy and change the minimum number of required characters to match the password length. 4) Click <OK>. The name of the certificate is displayed in the Certificate configuration list. Click <Close>. 5.2 Basic Configuration with the Wizard Select Configuration > Profiles from the menu. Click <Add/Import>. 1) Select Manually configure profile. 2) Click <Next>. Document ID: I15004_en_01 Version 1.1 Page 12 of 23

13 1) Enter a descriptive name for the VPN connection. 2) Click <Next>. 1) Select Certificate for Authentication. 2) Select the VPN client s certificate which was imported in chapter VPN Client Certificate. 3) Click <Next>. 1) Enter either the static public IP address of the mguard or its DNS name. 2) Click <Next>. Document ID: I15004_en_01 Version 1.1 Page 13 of 23

14 1) Leave the default settings (Exchange Mode=main mode, PFS Group=DH- Group 5) and click <Next>. 1) Leave Type=ASN1 Distinguished Name. 2) Click <Next>. 1) Select Manual IP Address. 2) Enter the virtual IP which should be used by the VPN Client, in our example This virtual IP can be used for accessing the client through the tunnel from the internal network of the mguard. 3) Click <Next>. Document ID: I15004_en_01 Version 1.1 Page 14 of 23

15 1) Click <Add>. 2) Enter the network and the subnet mask of the internal network of the mguard, in our example / , and click <OK>. 3) Click <Finish>. The new connection is created and displayed as Connection Profile. Document ID: I15004_en_01 Version 1.1 Page 15 of 23

16 5.3 Specific Connection Settings After configuring the basic setting of the connection with the Wizard, some default settings need to be adjusted. From the menu, select Configuration > Profiles. Select the VPN connection and click <Edit>. 1) Select Line Management. 2) Select whether the VPN connection should be established manually, on traffic or always. 3) If desired, increase the inactivity timeout to allow a convenient work (default=100s). 1) Select IPsec General Settings. 2) Select RSA-AES256-SHA512. 3) Select DH-Group 5. 4) Select ESP-AES256-SHA256. 5) Click <OK>. Now the configuration of the VPN Client is finished. Document ID: I15004_en_01 Version 1.1 Page 16 of 23

17 5.4 Start/Stop the VPN Connection Start the VPN connection Stop the VPN connection When starting the VPN connection, you ll be prompted to enter the PIN. The PIN is the password which protects the PKCS#12 export of the VPN Client certificate against unauthorized usage (refer to X.509 Certificates). If the VPN connection was established successfully, the VPN Client displays Connection established. If the VPN Client displays an error message instead, proceed with the next chapter to narrow down the reason for the problem. Document ID: I15004_en_01 Version 1.1 Page 17 of 23

18 6 Troubleshooting To narrow down a problem, you should: 1) Open the Log book of the VPN Client (menu Help > Logbook). 2) Know from which public IP address the VPN Client accesses the Internet. You can get this information through the web site (Your IP address is w.x.y.z) or (Your IP: is w.x.y.z). This information is required to find the according log entries in the logs of the mguard. 3) Get HTTPS access to the mguard, switch to the menu Logging > Browse local logs, uncheck all log types except IPsec VPN and click <Reload logs>. Click <Reload logs> after each connect attempt from the VPN Client. 6.1 Error: VPN gateway not responding (waiting for Msg 2) The VPN Client has sent the first message to initiate the VPN connection but did not get a response from the remote VPN gateway. This could have several reasons Logbook: Could not contact Gateway (No response) in state <Wait for Message 2> Is the default gateway reachable? On the Windows client on which the VPN Client is running, open a command prompt and execute the command ipconfig. C:\>ipconfig Ethernet adapter Local Area Connection: IPv4 Address : Subnet Mask : Default Gateway : If there is no default gateway specified for the Ethernet adapter, targets located in different networks cannot be reached. Check if pings to the IP address of the default gateway are replied (e.g.: ping ). If the pings are not replied, contact the system administrator of the network to get the correct settings Is the Internet reachable? Ping an IP address located in the Internet, e.g. ping If the pings are not replied it also won t be possible for the VPN Client to reach the mguard Is the specified IP address/dns name of the remote VPN peer correct? Edit the profile, go to IPsec General Settings and check the value of Gateway (Tunnel Endpoint). Document ID: I15004_en_01 Version 1.1 Page 18 of 23

19 Does the VPN initiating packet reach the mguard? Go to the mguard logging and check if the mguard registers incoming packets (received Vendor ID payload) from the public IP address of the VPN Client. packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] packet from :40676: received Vendor ID payload [RFC 3947] method set to=115 packet from :40676: received Vendor ID payload [Dead Peer Detection] If such entries do not appear in the mguard logging, most likely a firewall in-between the VPN Client and the mguard blocks traffic to UDP port mguard log: no connection has been authorized with policy packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] packet from :40676: received Vendor ID payload [RFC 3947] method set to=115 packet from :40676: received Vendor ID payload [Dead Peer Detection] packet from :40676: Innominate mguard found packet from :40676: received Vendor ID payload [Innominate mguard] packet from :40676: Innominate IKE Fragmentation found packet from :40676: received Vendor ID payload [Innominate IKE Fragmentation] packet from :40676: ignoring Vendor ID payload [Cisco IKE Fragmentation] packet from :40676: initial Main Mode message received on :500 but no connection has been authorized with policy=rsasig If this message appears with the public IP address of the VPN Client, the VPN initiating packet has reached the mguard but the mguard cannot find a corresponding VPN connection with the encryption, hash algorithm and Diffie-Hellman group proposed by the VPN Client. The problem is caused by a mismatch of the specified encryption or hash algorithm or Diffie- Hellman group for the ISAKMP SA. Edit the profile, go to IPsec General Settings and ensure that the same encryption and hash algorithms and Diffie-Hellman group are specified in the parameter IKE Policy as specified on the mguard in the VPN connection, tab IKE Options, section ISAKMP SA (key exchange) (refer to IKE Options). You do not need to check the Diffie-Hellman group if All is selected on the mguard. Document ID: I15004_en_01 Version 1.1 Page 19 of 23

20 6.1.2 Logbook: Could not contact Gateway (No response) in state <Wait for Message 6> mguard Log: no suitable connection for peer packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] packet from :40676: received Vendor ID payload [RFC 3947] method set to=115 packet from :40676: received Vendor ID payload [Dead Peer Detection] packet from :40676: Innominate mguard found packet from :40676: received Vendor ID payload [Innominate mguard] packet from :40676: Innominate IKE Fragmentation found packet from :40676: received Vendor ID payload [Innominate IKE Fragmentation] "MAI _1"[1] #41: responding to Main Mode from unknown peer "MAI _1"[1] #41: enabling Innominate IKE Fragmentation (main_ini1_outr1) "MAI _1"[1] #41: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 "MAI _1"[1] #41: STATE_MAIN_R1: sent MR1, expecting MI2 "MAI _1"[1] #41: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed "MAI _1"[1] #41: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 "MAI _1"[1] #41: STATE_MAIN_R2: sent MR2, expecting MI3 "MAI _1"[1] #41: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid= "MAI _1"[1] #41: Main mode peer ID is ID_DER_ASN1_DN: 'O=Innominate, OU=Support, CN=VPN Client' "MAI _1"[1] #41: no suitable connection for peer 'O=Innominate, OU=Support, CN=VPN Client' A wrong remote X.509 certificate was uploaded into the VPN connection on the mguard (refer to Authentication, steps 3 to 5). It is not the certificate used by the VPN Client mguard Log: ISAKMP Hash Payload has an unknown value after STATE_MAIN_R2 packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] packet from :40676: received Vendor ID payload [RFC 3947] method set to=115 packet from :40676: received Vendor ID payload [Dead Peer Detection] packet from :40676: Innominate mguard found packet from :40676: received Vendor ID payload [Innominate mguard] packet from :40676: Innominate IKE Fragmentation found packet from :40676: received Vendor ID payload [Innominate IKE Fragmentation] "MAI _1"[2] #44: responding to Main Mode from unknown peer "MAI _1"[2] #44: enabling Innominate IKE Fragmentation (main_ini1_outr1) "MAI _1"[2] #44: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 "MAI _1"[2] #44: STATE_MAIN_R1: sent MR1, expecting MI2 "MAI _1"[2] #44: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed "MAI _1"[2] #44: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 "MAI _1"[2] #44: STATE_MAIN_R2: sent MR2, expecting MI3 "MAI _1"[2] #44: next payload type of ISAKMP Hash Payload has an unknown value: 66 "MAI _1"[2] #44: next payload type of ISAKMP Hash Payload has an unknown value: 66 A VPN connection is established through UDP port 500. If the connection is established across one or more gateways with Network Address Translation (NAT) activated (indicated in the log), the port is switched to UDP port This problem is cause by a firewall in-between the VPN Client and the mguard, blocking traffic to UDP port Error: PKI error This error message indicates a problem with the certificates. The CA certificate, which was used to sign the mguard and the VPN Client certificate, is not present in the installation directory of the VPN Client (default: C:\Program Files\Innominate\ mguardsecurevpnclient), subdirectory CaCerts, or its extension is not pem (refer to CA Certificate). If the mguard and the VPN Client certificates were signed with different CA certificates, both CA certificates must be present in the above mentioned directory. 6.3 Error: IKE (phase 2) Waiting for Msg 2 The ISAKMP SA (phase 1) was established successfully. Now a problem occurred during the establishment of the IPsec SA (phase 2). Document ID: I15004_en_01 Version 1.1 Page 20 of 23

21 6.3.1 Logbook: RECEIVED : INVALID_ID_INFORMATION after SUCCESS: IKE phase 1 ready mguard Log: cannot respond to IPsec SA request because no connection is known for packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] packet from :40676: received Vendor ID payload [RFC 3947] method set to=115 packet from :40676: received Vendor ID payload [Dead Peer Detection] packet from :40676: Innominate mguard found packet from :40676: received Vendor ID payload [Innominate mguard] packet from :40676: Innominate IKE Fragmentation found packet from :40676: received Vendor ID payload [Innominate IKE Fragmentation] "MAI _1"[1] #49: responding to Main Mode from unknown peer "MAI _1"[1] #49: enabling Innominate IKE Fragmentation (main_ini1_outr1) "MAI _1"[1] #49: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 "MAI _1"[1] #49: STATE_MAIN_R1: sent MR1, expecting MI2 "MAI _1"[1] #49: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed "MAI _1"[1] #49: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 "MAI _1"[1] #49: STATE_MAIN_R2: sent MR2, expecting MI3 "MAI _1"[1] #49: Main mode peer ID is ID_DER_ASN1_DN: 'O=Innominate, OU=Support, CN=VPN Client' "MAI _1"[1] #49: I am sending my cert "MAI _1"[1] #49: Dead Peer Detection (RFC 3706): enabled "MAI _1"[1] #49: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 "MAI _1"[1] #49: new NAT mapping for #49, was :40676, now :19242 "MAI _1"[1] #49: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=oakley_rsa_sig cipher=aes_256 prf=oakley_sha2_512 group=modp1536} "MAI _1"[1] #49: the peer proposed: /24:0/0 -> /32:0/0 "MAI _1"[1] #49: cannot respond to IPsec SA request because no connection is known for { /24}=== [O=Innominate, OU=Support, CN=Central Gateway] [O=Innominate, OU=Support, CN=VPN Client]==={ /32} Mismatch of the specified local/remote VPN network. On the mguard, edit the VPN connection and go to the tab General (refer to General Settings) On the VPN Client, edit the profile and go to Local network. Ensure that the Remote network on the mguard has the same value as the IP address on the VPN Client. On the VPN Client, go to Remote network. Ensure that the Local network on the mguard has the same value as the Remote network on the VPN Client, including the correct subnet mask in CIDR notation (e.g = /24). Document ID: I15004_en_01 Version 1.1 Page 21 of 23

22 6.3.2 Logbook: RECEIVED : NO_PROPOSAL_CHOSEN after SUCCESS: IKE phase 1 ready mguard Log: IPsec Transform [...] refused due to strict flag packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 packet from :40676: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] packet from :40676: received Vendor ID payload [RFC 3947] method set to=115 packet from :40676: received Vendor ID payload [Dead Peer Detection] packet from :40676: Innominate mguard found packet from :40676: received Vendor ID payload [Innominate mguard] packet from :40676: Innominate IKE Fragmentation found packet from :40676: received Vendor ID payload [Innominate IKE Fragmentation] "MAI _1"[2] #55: responding to Main Mode from unknown peer "MAI _1"[2] #55: enabling Innominate IKE Fragmentation (main_ini1_outr1) "MAI _1"[2] #55: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 "MAI _1"[2] #55: STATE_MAIN_R1: sent MR1, expecting MI2 "MAI _1"[2] #55: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed "MAI _1"[2] #55: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 "MAI _1"[2] #55: STATE_MAIN_R2: sent MR2, expecting MI3 "MAI _1"[2] #55: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid= "MAI _1"[2] #55: Main mode peer ID is ID_DER_ASN1_DN: 'O=Innominate, OU=Support, CN=VPN Client' "MAI _1"[2] #55: I am sending my cert "MAI _1"[2] #55: Dead Peer Detection (RFC 3706): enabled "MAI _1"[2] #55: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 "MAI _1"[2] #55: new NAT mapping for #55, was :40676, now :19242 "MAI _1"[2] #55: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=oakley_rsa_sig cipher=aes_256 prf=oakley_sha2_512 group=modp1536} "MAI _1"[2] #55: the peer proposed: /24:0/0 -> /32:0/0 "MAI _1"[2] #56: IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA2_256] refused due to strict flag Mismatch of the specified encryption or hash algorithms for the IPsec SA. Edit the profile, go to IPsec General Settings and ensure that the same encryption and hash algorithms are specified in the parameter IPsec Policy as specified on the mguard in the VPN connection, tab IKE Options, section IPsec SA (data exchange) (refer to IKE Options). Document ID: I15004_en_01 Version 1.1 Page 22 of 23

23 6.4 Required Data when requesting Support If you encounter problems and need support, please provide the following information/data: 1) mguard Snapshot (configuration and logs without private information) It is important that you download the snapshot after a failed connection. From the menu, select Support > Advanced, tab Snapshot. Click <Download> and store the file snapshot.tar.gz on a local system. 2) The public IP address through which the VPN Client accesses the Internet You can get this information through the web site (Your IP address is w.x.y.z) or (Your IP: is w.x.y.z). This information is required to find the corresponding log entries in the logs of the mguard. 3) The configuration file ncpphone.cfg of the VPN Client which is located in the installation directory of the client. 4) The file InnominateSupport.zip. Click Help > Support Assistant > [nothing needs to be changed here] > Next > Next, then click C:\Users\... \InnominateSupport.zip in the dialog to copy and provide the zip file. Document ID: I15004_en_01 Version 1.1 Page 23 of 23